[Openswan Users]
Paul Wouters
paul at xelerance.com
Wed Aug 9 12:44:20 EDT 2006
On Wed, 9 Aug 2006, Greg wrote:
no connection has been authorized" means the conn failed to load. check the error log
or recreate the error using: ipsec auto --replace roadwarrior-l2tp
I have never put an l2tp vpn server behind NAT myself.
Paul
> Date: Wed, 9 Aug 2006 17:23:34 +0200
> From: Greg <gregory.domagala at aliceadsl.fr>
> Cc: users at openswan.org
> To: 'Paul Wouters' <paul at xelerance.com>
> Subject: RE: [Openswan Users]
>
> Thank you still Paul,
>
> My Router: Public IP: 81.127.61.93
> Local IP : 192.168.0.5
>
> My VPN Gateway Local IP : 192.168.0.4
>
> I've tried this
>
> version 2.0
>
> config setup
> interfaces=%defaultroute
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:81.127.61.93/32
> # Debug-logging controls :«none» for (almost) none,«all» for lots.
> klipsdebug=none
> plutodebug="none"
>
> conn %default
> keyingtries=1
> compress=yes
> disablearrivalcheck=no
> authby=rsasig
> leftrsasigkey=%cert
> rightrsasigkey=%cert
>
> conn roadwarrior-l2tp
> left=192.168.0.4
> leftcert=cert.pem
> leftprotoport=17/1701
> right=%any
> rightprotoport=17/1701
> rightsubnet=vhost:%no,%priv
> pfs=no
> auto=add
> type=transport
>
> conn block
> auto=ignore
>
> conn private
> auto=ignore
>
> conn private-or-clear
> auto=ignore
>
> conn clear-or-private
> auto=ignore
>
> conn clear
> auto=ignore
>
> conn packetdefault
> auto=ignore
>
>
>
> But it's the same log :(
> I will become insane :)
>
>
>
>
> > -----Message d'origine-----
> > De : Paul Wouters [mailto:paul at xelerance.com]
> > Envoyé : mercredi 9 août 2006 16:46
> > À : Greg
> > Cc : users at openswan.org
> > Objet : RE: [Openswan Users]
> >
> > On Wed, 9 Aug 2006, Greg wrote:
> >
> > > I've change the parameter with my public IP then my private IP, I've
> > > got the same log
> >
> > It needs to be the IP that is *on* the box, not the IP of the NAT gateway
> > in front of it. Also, if your openswan box is NAT'ed, you need to exclude
> > its local LAN range from virtual_private, and clients behind NAT on the
> > same range cannot connect.
> >
> > > I think that will use the hammer on me
> >
> > hammers were mostly for ipsec passthrough dvices :)
> >
> > It saves a lot of time (and money) to give a VPN server its own public IP
> > address. It's really worth an extra DSL line.
> >
> > Paul
> >
> > > Aug 9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> > > Aug 9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [FRAGMENTATION]
> > > Aug 9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500:
> > received
> > > Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> > > Aug 9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [Vid-Initial-Contact]
> > > Aug 9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: initial
> > > Main Mode message received on 192.168.0.4:500 but no connection has been
> > > authorized
> > > Aug 9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> > > Aug 9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [FRAGMENTATION]
> > > Aug 9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500:
> > received
> > > Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> > > Aug 9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [Vid-Initial-Contact]
> > > Aug 9 07:46:26 darko pluto[8695]: packet from 80.10.28.185:500: initial
> > > Main Mode message received on 192.168.0.4:500 but no connection has been
> > > authorized
> > > Aug 9 07:46:28 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> > > Aug 9 07:46:28 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [FRAGMENTATION]
> > > Aug 9 07:46:28 darko pluto[8695]: packet from 80.10.28.185:500:
> > received
> > > Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> > > Aug 9 07:46:28 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [Vid-Initial-Contact]
> > > Aug 9 07:46:28 darko pluto[8695]: packet from 80.10.28.185:500: initial
> > > Main Mode message received on 192.168.0.4:500 but no connection has been
> > > authorized
> > > Aug 9 07:46:32 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> > > Aug 9 07:46:32 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [FRAGMENTATION]
> > > Aug 9 07:46:32 darko pluto[8695]: packet from 80.10.28.185:500:
> > received
> > > Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> > > Aug 9 07:46:32 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [Vid-Initial-Contact]
> > > Aug 9 07:46:32 darko pluto[8695]: packet from 80.10.28.185:500: initial
> > > Main Mode message received on 192.168.0.4:500 but no connection has been
> > > authorized
> > > Aug 9 07:46:40 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> > > Aug 9 07:46:40 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [FRAGMENTATION]
> > > Aug 9 07:46:40 darko pluto[8695]: packet from 80.10.28.185:500:
> > received
> > > Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> > > Aug 9 07:46:40 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [Vid-Initial-Contact]
> > > Aug 9 07:46:40 darko pluto[8695]: packet from 80.10.28.185:500: initial
> > > Main Mode message received on 192.168.0.4:500 but no connection has been
> > > authorized
> > > Aug 9 07:46:56 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> > > Aug 9 07:46:56 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [FRAGMENTATION]
> > > Aug 9 07:46:56 darko pluto[8695]: packet from 80.10.28.185:500:
> > received
> > > Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> > > Aug 9 07:46:56 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Vendor ID payload [Vid-Initial-Contact]
> > > Aug 9 07:46:56 darko pluto[8695]: packet from 80.10.28.185:500: initial
> > > Main Mode message received on 192.168.0.4:500 but no connection has been
> > > authorized
> > > Aug 9 07:47:11 darko pluto[8695]: packet from 80.10.28.185:500:
> > ignoring
> > > Delete SA payload: not encrypted
> > > Aug 9 07:47:11 darko pluto[8695]: packet from 80.10.28.185:500:
> > received
> > > and ignored informational message
> > >
> > > Thanks,
> > >
> > > GD
> > >
> > > > -----Message d'origine-----
> > > > De : Paul Wouters [mailto:paul at xelerance.com]
> > > > Envoyé : mardi 8 août 2006 23:59
> > > > À : Greg
> > > > Cc : users at openswan.org
> > > > Objet : RE: [Openswan Users]
> > > >
> > > > On Tue, 8 Aug 2006, Greg wrote:
> > > >
> > > > > conn roadwarrior-l2tp
> > > > > left=%defaultroute
> > > > > leftcert=/etc/ipsec.d/certs/cert.pem
> > > > > leftprotoport=17/1701
> > > > > right=%any
> > > >
> > > > You cannot use both %defaultroute and %any, because then openswan
> > > > cannot determine if it is left or right.
> > > > Since this is the server end, I assume that you know the IP for left=
> > > >
> > > > > Aug 8 23:17:01 darko pluto[4751]: packet from 90.95.19.131:500:
> > initial
> > > > > Main Mode message received on 192.168.0.4:500 but no connection has
> > been
> > > > > authorized
> > > >
> > > > That's because of the reasons above.
> > > >
> > > > Paul
> > > > --
> > > > Building and integrating Virtual Private Networks with Openswan:
> > > > http://www.amazon.com/gp/product/1904811256/104-3099591-
> > 2946327?n=283155
> > >
> >
> > --
> > Building and integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list